RiskBowl Live
Following the success of our first RiskBowl Live session on wholesale credit risk modelling, we are delighted to announce our second get together on Model Risk & AI, to be held in late September 2025
A moderated roundtable for Model Risk industry leaders to be held our Marylebone offices to share perspectives and discuss pressing topics under Chatham House Rules.
Spaces are limited, so reach out to book your place
The inaugural session of our Oliver Wyman-moderated RiskBowl Live series brought together senior risk and modelling practitioners from the UK's largest banks. It was well-received by the attendees, which also included our guest attendee, Colin Jennings (senior ex-PRA, industry practitioner).
The discussion covered the finer points of current industry trends and practices of wholesale credit risk modelling, from more the general points, such as supervisory interactions, scales of IRB usage, and model implementation, to more segment specific questions for corporate, bank, and NBFI exposures.
Whilst we covered lots of ground, there were still many topics that we ran out of time to discuss that we will aim to cover at the next iteration of RiskBowl Live in November - reach out if you'd like to participate.
High-level Roundtable discussion summary
General IRB topics
Interaction with the Regulator
Firms do not have a clear view of PRA’s expectations on whether a model needs to be formally withdrawn or can be remediated (for example, approved with obligations similar to the ECB’s approach)
In general, models that have fewer issues are open for remediation, but in practice, banks have much more to do a lot given the moving target
It was noted that this stance may evolve with the PRA’s formal “minded to approve” approach, e.g., as they have done with mortgages models
An additional accelerator is the increased 2LoD responsibility - due to higher submission volumes, the ECB is allowing model validation teams to close lower severity findings (F1, F2) without further escalation
Raising the bar on IRB usage, including the F-IRB reversion
Several banks outlined a significant simplification of their modelling landscape over the last couple of years
Multiple institutions are evaluating F-IRB reversion for entire asset classes, contingent upon business case justification (especially where unsecured exposures are more prevalent)
It was emphasised that, consistent with CRR Article 494(d), reversion must apply to the whole asset class (or e.g., fully for the non-retail part of SME)
Model Implementation
The benefits of shadow implementation were discussed, including the ability to gather business feedback and provide evidence of use test
Although shadow implementation is a regulatory requirement under the ECB framework, its adoption for wholesale models in the UK remains limited
Segment specific questions - Corporates
Model segmentation
Historically, model segmentation has been influenced by business unit and system boundaries
Regulators are softly encouraging alignment of segmentation more closely with asset class definitions
Subsidiary rating and cascading
Count as a single obligor if it is the same rating
Credit risk officer decides if there is a support via rules (e.g., idea of an Obligor Risk Group (ORG))
LBO
Approaches to modelling LBO credit risk vary across banks: Some institutions treat LBO exposures as a calibration segment within corporate models; while others develop standalone LBO models, especially when aligned with specific business lines
When LBOs are included in corporate models, projected financials serve as input overrides, contributing to input override budget
Segment specific questions - Banks/ NBFIs
External Benchmarks (RiskCalc / Credit Benchmark)
Benchmarks are primarily used to investigate and validate developed models
Example of a funds modelling / calibration approach
Use of expert ranking approach (experts given a list of N funds to rank from 1 to N); sample size is a balance between coverage vs fatigue of experts
Van der Burgt methodology for calibration
Participants mentioned that the PRA was not focused on the sampling methodology used as long as representativeness was demonstrated
Since we wrote about geopolitical risk last year, we have seen industry practice evolve and we felt an update is warranted. Over the past six months, geopolitical risk has evolved from a peripheral factor to a structural dimension of enterprise risk management. Across client engagements in Europe, the US, and APAC, we observe a clear shift: leading banks are beginning to treat geopolitical uncertainty not just as a backdrop to macroeconomic scenarios or part of the Country Risk Teams, but as a direct risk driver.
The change is being accelerated by supervisory focus—particularly in Europe. Institutions are expected to treat geopolitical developments as a material influence on their risk profile, both from a financial and non-financial perspective. The ECB has elevated this expectation as part of its core supervisory agenda for 2025–2027, which is already shaping risk steering discussions at board level.
At a practical level, we see three main developments gaining traction:
Geopolitical risk is becoming multi-dimensional. It's no longer confined to sovereign credit or country risk. The emerging practice is clear: geopolitical risk must be treated not as a siloed topic, but as a cross-cutting input into enterprise steering—from risk appetite to capital strategy, from third-party governance to digital infrastructure planning.
Operational exposure is moving to the forefront. With increasing tension in global trade, the resilience of core operations—especially IT and critical vendor networks—is under renewed scrutiny. Cybersecurity, cloud sovereignty, and compliance with regional digital sovereignty laws (e.g. DORA) are now viewed through a geopolitical lens.
Risk management approaches are becoming more forward-thinking. Rather than waiting for events to materialize, banks are building structured response capabilities based on scenario analysis, cross-functional simulations, and targeted early-warning frameworks.
In conversations with risk and strategy executives across global banks, a common theme is emerging: the need to move from fragmented, reactive risk tracking to a coherent and mature, cross-functional framework that embeds geopolitical thinking into core risk processes.
d0f2aaf0-a352-4ff7-9158-5d46bf252bce-image.png
Figure 1: Oliver Wyman Geopolitical Risk Management Framework
While practices vary widely, two elements are consistently present among institutions leading the field, which we describe below: top-down portfolio scans for geopolitical sensitivity, and crisis simulation.
Top-Down Portfolio Scans for Geopolitical Sensitivity
Before banks can simulate or plan for geopolitical disruption, they need clarity on where they are most exposed. That requires a structured, top-down portfolio view—not just of credit and market exposures, but of operational and third-party dependencies that could be vulnerable to geopolitical shifts. Risk measurement and quantification have also made progress, where top-down portfolio analysis is typically the starting point to prioritize efforts across the existing risk types.
When starting with the analysis, the selection of portfolio scope is the first determinant. Peers are typically starting with the lending, securities and deposits portfolio on group level. When defining the scenarios for the portfolio assessment institutions employ a small set of intuitive, high-level geopolitical risk scenarios such as increasing trade and investment restrictions.
The portfolio segmentation is analyzed for vulnerability to 1st and selected 2nd order effects (especially energy / commodity prices and supply chain disruptions). For the top-down portfolio assessment, most institutions conduct a qualitative impact assessment, clearly identifying relevant risk drivers for the respective primary risk types.
Multi-format crisis simulation
Once sensitive exposure areas are identified, banks can run simulations to assess how geopolitical events would affect their operations, risk profile, and strategic posture. This is no longer a theoretical exercise. Take the energy-related grid shutdown in Spain, Portugal and France earlier this year. While the root causes were not directly geopolitical, the systemic impact mirrored what could happen in a true geopolitical escalation—forcing multiple banks to activate contingency procedures, reroute processing, and adjust liquidity buffers in real-time.
Crisis simulations with geopolitical triggers serve three key purposes:
They test multi-dimensional resilience—from financial metrics (capital, liquidity) to operational continuity and reputational response;
They sharpen cross-functional preparedness: involving risk, IT, legal, communications, and business continuity teams in a coordinated stress response; and
They surface second- and third-order effects—such as delays in reporting due to system outages, failure of key vendors in conflict regions, or jurisdictional clashes over regulatory compliance
Depending on the institution’s maturity and exposure, a range of simulation formats is currently being used, from tabletop exercises for initial risk awareness and coordination, through war-gaming scenarios that simulate adversarial moves across regulatory or geopolitical dimensions, all the way to full-scale crisis simulations, including real-time decision-making, interdepartmental coordination, and post-mortem analysis.
We are experiencing a new wave of tariff announcements and conflict in the Middle East. While short-term uncertainty may dominate headlines, leading institutions treat it as a catalyst for deliberate, long-term positioning. Key structural shifts—around global alignment, digital sovereignty, and economic fragmentation—require active engagement and banks are using this phase to start building lasting resilience through governance, scenario design, and strategic alignment.
Over the last years, banks have increasingly found themselves allocating a significant portion of their risk budgets to Internal Ratings-Based (IRB) remediation programmes. Part of the problem for some banks has been time pressure to build the models that resulted in tactical responses that gets them to the regulatory submission as fast as possible. In the various workshops we had with clients, the issues that teams raised were worryingly similar across institutions -
Models built from scratch, duplicate efforts across teams working on different portfolios (e.g., Mortgages and Credit cards)
Hard-coded and brittle model architecture makes it difficult to adopt to changing business and regulatory requirements
Reliance on legacy tools (Excel, SAS) hinders building modelling pipelines and implementation speed
Manual processes in data preparation, model documentation and validation increase error risk, reduce quality
However, banks which demanded more from their analytical teams have invested more into getting the programme right to get more out of it. The question they asked was "How will investment help us to develop analytics in an efficient and effective way in the future?". We have worked with UK and EU banks to develop effective approaches to build sustainable and integrated modelling capabilities that span the entire lifecycle
8b69b09f-ef28-431d-acde-52c4421609f7-image.png
Figure 1: Summary of efficiency levers across the model development cycle
Three key focus areas of banks have been the following
1. New data operating model for the regulatory models
In the past, modelling and analytical teams were usually responsible for sourcing and preparing the data alongside their full-time modelling job. Given the scale of the regulatory requirements for data for IRB modelling (i.e., need to go back to 1990s downturn), this took significant time and effort from modelling teams. Additionally, modelling teams do not always possess data engineering skillset, which can lead to sub-optimal quality of the datasets produced making them not reusable going forward.
With the new data operating model we observe Data Engineers leading the data sourcing process and the new Data Development team acting as an intermediary between the two teams. This approach allows not only for better quality data which results in more robust models but also creates strategic data assets to ensure replicability of the process in the future and makes implementation of the models easier.
4cea63b3-0e1a-4f8a-b172-e6a5ce17051f-image.png
Figure 2: Revised way of working between business and data engineers
2. Development of a centralized toolkit
When working with the UK banks of IRB remediation programmes, we have brought in the centralized modelling and engineering teams that have created reusable modularized codebases. We have also worked with the internal validations teams to use this as an opportunity to centralize the 2nd LoD effort (from a model risk perspective) – for example, if certain modules of the codebase (e.g., linear regression, SFA, MFA) are centrally reviewed and approved by the internal validation team, this reduces the time required for review and validation of each individual model. This is resulting in significant gains in end-to-end model development timelines and avoiding the risk of low quality / inconsistent analytics code. Additionally, this centralized codebase can be deployed to a broad range of modelling and analytical projects beyond IRB work (e.g., IFRS9, Credit decisioning).
There are still challenges in maintaining this codebase as a continuous operating model. Industry should be open to thinking of novel ways to get this challenge right, that could bring in cost savings, the ability to embed new technologies (like AI) with less friction and better analytics outcomes (e.g., analytics utilities, centralized services).
3. Implementation of the models
As a result of the challenges described above, we observe model implementation costs increasing and the speed of adoption decreasing over recent years. However, developing strategic data assets (as described in 1) and centralized modular model codebase (as described in 2) makes model implementation and deployment faster and more cost-efficient. Additionally, as proven by our work with the UK banks, using these approaches allows the reduction of ongoing maintenance costs (e.g., Cloud storage and data querying costs) significantly.
Welcome to RiskbOWl – the first closed community of Risk professionals to share ideas, best practices and get a sense of peer practice, with the ability to anonymously ask questions, share perspectives, run targeted polls, and discuss recent regulatory developments. Find out the latest developments in the RiskbOWl community, including user guidelines, community rules, and latest functionality
Discover our latest thinking across hot topics in risk management, drawn from serving the world's leading financial institutions and deep, industry-renowned expertise across risk and finance topics, including surveys, primers and points-of-view
Use this space for questions or broader topics pertaining to risk management, from the latest industry trends and regulatory developments, to the latest news and risk headlines potentially impacting the sector
With the global economy entering what can only be described as a critical inflection point, particularly in terms of trade, institutions are mobilising to better understand how the recent upending of trading relations will impact either lending portfolios or operations in the short term, and impacts of the shifting geopolitical landscape in the longer term. Join the discussion and compare notes on how your peers are managing these novel risks
The dedicated space to converse with peers and our experts on all aspects of credit risk, from the technicalities of modelling using internal approaches, credit decisioning and underwriting, credit risk appetite, governance and monitoring, provisioning, and regulatory requirements
Recent years has seen the Treasury shoot up the agenda given the length of time the sector had operated in much more benign interest rate conditions. Sector turmoil in 2023 prompted supervisors and banks alike to ensure their ALM, liquidity, and interest rate risk capabilities were adequate for new rate realities. Discover the latest in our dedicated Treasury channel
The channel for all areas pertaining to the ability of institutions to deliver critical operations through disruption, comprising of prudential risk frameworks, internal governance, outsourcing, business continuity and crisis response. Recent years has seen much more scrutiny on the reliance of institutions on technology and third parties, with the former very much on the supervisory agenda, perhaps most explicitly embodied with the advent of the Digital Operational Resilience Act (DORA) in Europe
With an increasingly complex and interlinked risk landscape, comes an equally complex, corresponding regulatory framework, and it's no surprise how high up regulatory compliance now features on the bank agenda. Check in with your peers on the issues driving this key risk management capability, including compliance operating model, regulatory horizon scanning, and financial crime compliance
Channel dedicated to discussion on the supervisory and societal expectations driving banks to meet their sustainability goals, by embedding ESG criteria into enterprise risk management frameworks to address climate-related and social risks, as well as financial institution's climate risk stress testing capabilities, and disclosure requirements
From supervisory exercises, to internal scenario-planning, crisis simulation and war gaming, stress testing has become an established, post-GFC, risk management tool that institutions are expected to have in place in order to demonstrate the sustainability of their business model and ensure ongoing confidence in the bank. Discover the latest on stress testing in our dedicated channel
Whilst dedicated risk management for the development, monitoring and validation of risk models has been long established, the advances in technology, analytics and data driving the banking industry has promoted such model risk frameworks to be updated and enhanced accordingly. Discover the latest impacting your peers across the model lifecycle - model definition, model vs non-model scope, validation, monitoring, periodic review, model risk reporting and governance
Organisational culture has long been recognized as a key component of risk-taking and risk-adverse behaviours, making it an important dimension underpinning the overall effectiveness of risk management more broadly within an organisation. Use this dedicated space for more discussion on methodologies, values, and behaviours within an organization that shape its approach to risk management and overall awareness and understanding of risk
With as much change in the risk landscape and operating environment, discover insights and discussion on how developments in data and analytics are impacting risk functions, including deployment of AI, regulatory pressures such as BCBS239
Got a question? Ask away!